Slashdot Mirror
Spam Solutions from an Expert
Mod N writes "SecurityFocus has posted a nice survey of anti-spam technologies by spam expert Neal Krawetz, in which he delves deeply into the specifics and pitfalls of the numerous proposed solutions. Krawetz makes it obvious that securing the email infrastructure is a very complex problem that many of the current (simple) solutions can't solve alone."
Why has spam grown to what it is today? It is an undeniably effective means of cheap marketing. What we need to do is come up with a way to stop this not on our end, but by looking at as a social problem or making it non-worthwhile to the spammers. If nobody ever responded to spam, spammer wouldn't bother.
That's like saying a all theoretical attacks is not worth securing against somebody's fallen victim to it. Sure, there's some way-out ideas that can be dismissed that way, but this one seems so simple I'm pretty sure somebody who runs both spam and a porn site could pull it off...
The Chinese government will probably solve any internal spam problem pretty quickly.
I mean, if you start by shooting all convicted spammers, the profession tends to stop attracting replacement members.
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
I cant even get my scanner to correctly identify a regular text document, it gets most of it, but it still misses a lot of letters. A computer program could do this, but you would need either a very large database of the letter pictures (most places use all different kinds of text pictures, and add in a degree of randomness). Or you would need a very developed algorithm to detect the letters (in which case you would be making oodles of money from the scanner industry. . . spam would be the least of your worries.
In the end i think it is inevitable that software will eventually break this system, but as soon as it does, there will be another system in place. . . .
If you are about to mod me down, keep in mind that this post was most likely sarcastic.
Make no mistake...
The most effective spam solution at this time is RBL blacklisting. Bottom line.
When you take into account that the biggest problem of spamming is bandwidth consumption and network resources, there is NO better way than blacklisting spam sources and refusing to communicate with them.
Services like Spamcop's RBL really piss off the spammers. All client-side filtering is counterproductive and ultimately useless as you constantly have to update the systems to catch new efforts on the part of spammers to thwart the filters. At least with RBLs, the spammers' connections are immediately refused as soon as they're ID'd.
If you want to identify what is the most effective solutions, it's simple. Look at what pisses off the sleazebag spam community the most. That's relay blacklisting. They don't DDOS the moronic client-side filtering companies because the spammers know they're useless, and even if they're not, the spammers can't tell. What hurts them are when systems say, 'screw you spammer, (click)' and that's done via relay blacklisting.
Why are spammers increasingly changing mail relays and pursuing open proxies? Because of RBLs. Even AOL uses RBLs (including Spamcop). All the major ISPs look at the RBLs because they are THE most effective way of stopping spam. And they're the only way to actually shut down the spammers.
Forget client or server-side content-based filtering. They will NEVER work. RBLs are responsible for forcing spammers into corners of IP space, forcing them to deploy worms and viruses to infiltrate new IP space (which exposes them to more prosecution). RBLs ** WORK ** !
Challenge / response systems are broken anyway, even if spammers can't break it.
Why? Because from: is forgeable, and viruses use other people's real addresses constantly. Every day, one of my 40 spam emails is a C/R email from someone that I've never heard of. Am I going to click the link and authorize my email address? Fuck no. But I'll never be able to send email to that person. I realize that's a *tiny* incidental, but it's still broken by design.
If your C/R system includes a solicitation to purchase said C/R system, you're a fucking spammer. Fuck you.
There are no trails. There are no trees out here.
From spoofing verification won't make a difference... it'll slow down mail services and won't make a dent in spam.
Spammers are now rotating IP space all over the place... they're also beginning to NOT forge header information, so what are you left with?
Recognizing rogue relays and blacklisting them, even if they have valid header information. Any improvement to SMTP protocol won't make a bit of difference.
Most mail servers and large ISPs are already employing additional methods of header-verification. It hasn't stopped spam.
RBLs ARE working. They're making spammers scramble for un-blacklisted IP space. That's why they're running overseas; that's why they're sending out worms and viruses. Lord help us if IPv6 gets introduced... we'll never be able to stop spam then.
Not so much that it would come from Charlie, but that the C/R would have an In-Reply-To that referenced the unique Message-ID of Bill's mail.
When the mail goes out, Bill's system would record the Message-ID (and probably the recipient, but that could screw up on forwarders if you try for a hard match on the two) and then allow Charlie's C/R because it matches the whitelist.
I think we are attacking Spam from the wrong direction. Attempting to stem the flood of incoming spam is tough - everything about the identity of the incoming spam can be faked. However, we could alternatively attempt to prevent the replies going back the other way.
There are two inevitable facts:
1) In order for spamming to be worth someone's effort, they have to somehow get money from people. If NOBODY replied to them, then spamming would stop overnight.
2) Something in the content of the Spam must be real - a reply address - a web site, a phone number or something. Block traffic to that location and the spammer gets no money and dies.
Hence, I think they may be vulnerable. Educating people not to reply to SPAM would help - it only takes a mere handful of people to respond to a SPAM to make it profitable - but if education could drop that handful to a mere one or two - then we could succeed in putting more spammers out of business simply by cutting their margins to the point where it wasn't worth the hassle.
Where are the TV adverts: "Replying to Spam is Bad!"....we know that the morons who reply to spam are suckers for advertising - they are as likely to believe a well targetted TV advert as a crappy email shot. If Spam is costing the ISP's as much as they say it does - then funding some TV ads might not be impossible.
What if we made it illegal to respond to an emailed advertisement that was not clearly labelled as such, that would help to deter people from responding. Such a law would be next to impossible to enforce - but we are trying to deter the gullible here - so it might not have to be enforcable - just very well advertised.
Since every SPAM has to either advertise a product that you can buy from somewhere - or direct you to a postal address, a phone number or a web site - then that route for getting money back to the spammer could be blocked.
The return route has to be genuine. There is no point in them sending you a fake phone number or faked web address. If the phone companies (who are often also ISP's - or have at least some cause to want to kill spam) were to block calls to and from phone numbers that were seen in Spam - then the reverse route for the money would be curtailed. Whilst you can afford to change the aparrent source of your spam and fake those addresses for each new mail shot, you can't change your phone number for every couple of dozen orders you take. Similar considerations apply to web sites and postal addresses.
If it was required for credit card companies not to transfer money to businesses that employed spammers to push their goods - then that would also help some.
It wouldn't take many people to deliberately reply to spammers - to lead them on into thinking you want their product - to send them fake cheques or bogus credit card numbers. If they only get a handful of positive responses per million spams - then it wouldn't take more than a few determined people per million (eg ISP employees) to clutter up the the spammer's cash collection mechanism to the point where it's too much hassle for him to sort out the real orders from the bogus ones.
I don't pretend to have all of the answers - but there seems to be far too little creative thinking along these lines.
www.sjbaker.org
Naturally we may be inclined to believe that this grants us superiority to the computer. That, while stating some arbitrary facts taken from some textbook somewhere, a computer can never accomplish X objective.
Therein lies the fallacy. The computer does not identify that it is in an infinite loop, nor can it, because it is not given the benefit of looking at the actual code. If a compiler were designed to read into code for things like while(true) loops, which naturally could result in infinite loops, then already you would be cutting back on the instances of these problems.
Determining if there is an infinite loop requires a conscious understanding of the code itself, which is no trivial matter. It is not, however, something that could be deemed impossible.
As with all fields of science, there will be those who say "Well, I haven't seen it yet, so it will never happen"... but skeptics are everywhere, and the presence of skepticism is hardly a measure of credibility... rather, a measure of how pious certain peoples assumptions are.
Solutions are always found in math, and never in magic. Don't underestimate the computer, and more importantly, don't underestimate your own brain. You don't perceive things the way you do 'just because'... and that's what's so exciting.